CVE-2012-10049
published 2025-08-08


Priority: P269 · Severity: critical · CVSS 4.0 base score: 9.3
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.06% (60.4th percentile)
WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context.

Affected (1 range)

Vendor: wpo_foundation
Product: webpagetest
Version range: <= 2.6
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: resultimage.php
url: /resultimage.php
  • Monitor for unauthenticated POST requests to resultimage.php, especially those uploading files with PHP extensions (.php, .php3, .phtml, etc.) into the web-accessible directory.
  • Alert on web server execution of newly created PHP files in the WebPageTest results/upload directory; this may indicate successful exploitation and remote code execution.
  • Flag HTTP requests that trigger PHP code execution by the web server process shortly after a file upload to WebPageTest, as this indicates post-exploitation activity.
  • The vulnerability is present in WebPageTest version 2.6 and earlier; verify the installed version before applying detection rules to avoid false positives on patched instances.
  • The uploaded malicious file is placed in a publicly accessible web directory, so detection should also cover direct HTTP GET requests to newly uploaded files in that directory, not just the upload POST.
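As an added example (not from the advisory, the source feeds, or WebPageTest itself), a small Python detector that applies the rules above to web server access logs: it flags POSTs to resultimage.php, GETs for PHP-extension files under the results directory, and escalates when the same source did both within a short window. The combined log format, the /results/ directory path and the 30-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format (assumption about the log source).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_SCRIPT = "/resultimage.php"          # vulnerable endpoint named in the advisory
RESULTS_DIR = "/results/"                   # assumed web path of the WebPageTest results directory
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)   # .php, .php3, .phtml, ...
WINDOW = timedelta(minutes=30)              # assumed upload-to-execution correlation window

def parse(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string before matching
    return e

def detect(lines):
    """Return (rule, source_ip, path) findings.
    upload_post:         any POST to resultimage.php.
    php_in_results:      GET for a PHP-extension file under RESULTS_DIR (any status code).
    upload_then_execute: same as above, but the source POSTed to resultimage.php within WINDOW."""
    findings, last_upload = [], {}
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == UPLOAD_SCRIPT:
            findings.append(("upload_post", e["ip"], e["path"]))
            last_upload[e["ip"]] = e["ts"]
        elif e["path"].startswith(RESULTS_DIR) and PHP_EXT_RE.search(e["path"]):
            t = last_upload.get(e["ip"])
            rule = "upload_then_execute" if t and e["ts"] - t <= WINDOW else "php_in_results"
            findings.append((rule, e["ip"], e["path"]))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [08/Aug/2025:10:00:01 +0000] "POST /resultimage.php HTTP/1.1" 200 12',
    '203.0.113.7 - - [08/Aug/2025:10:00:05 +0000] "GET /results/25/08/08/AB/1_c.php?x=1 HTTP/1.1" 200 311',
    '198.51.100.9 - - [08/Aug/2025:10:02:00 +0000] "GET /results/25/08/08/AB/1_screen.jpg HTTP/1.1" 200 5120',
    '198.51.100.9 - - [08/Aug/2025:11:30:00 +0000] "GET /results/25/08/08/CD/shell.phtml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The 404 in the last sample line is still reported, since a request for a PHP file under the results tree is worth a look whether or not the file existed at that moment.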